You’d think a bank would do better than this.
ENABLER: Bank of America, N.A., 101 South Tryon St., 8th Floor (email responses go there)
Charlotte, NC 28255-0001
OFFENDER(S): LA | VL | LP | LV | LM (initials only; I am in possession of full names, called out in emails)
CHARGE: Bank of America allows customers to sign up for Online Banking and email notifications without confirming, via an email verification loop, that the customer has accurately provided, and/or the Bank of America CSR has accurately recorded, the customer's proper and true email address. Without that loop, a mistyped or misheard address sends a stranger the customer's notices until the stranger complains.
I’ve received multiple email messages for each of several of their customers. Some are notices for mortgage payments due, account application updates, survey notices and so on. I, too, get these notices as a B of A customer, so I know what they look like, and I’m very aware (and wary) of phishing attempts.
Bank of America, as you'll see in the evidence below, not only allows its customers to register inaccurate email addresses, but sends those customers emails complete with their full names, email addresses and the last four digits of their account numbers. This is dangerous: a social-engineering or phishing attempt is far easier to make convincing with a name, an address and a partial account number in hand than without them, and a confirmation email that carries none of those details would leak nothing even when it lands in the wrong inbox.
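What the charge asks for is an email confirmation loop (often called double opt-in): notifications go only to an address that has proved it belongs to the customer by returning a verification token, and the verification message itself carries no account details. The following is an added example written for this page, not Bank of America's code; the class name, the in-memory store, the outbox that stands in for an SMTP gateway and the `example.invalid` link are all assumptions made for the illustration.

```python
"""
Added example (not Bank of America's code): an e-mail confirmation loop
("double opt-in") for account notifications.  A notice is only ever sent
to an address whose owner has returned the verification token, and the
verification mail contains nothing a stranger could use for social
engineering.  The class name, in-memory store and outbox are assumptions.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600          # assumed lifetime of a verification link


class NotificationService:
    def __init__(self, clock=time.time):
        self.clock = clock             # injectable so expiry can be tested
        self.verified = {}             # customer_id -> confirmed address
        self.pending = {}              # sha256(token) -> (customer_id, email, expires_at)
        self.outbox = []               # constructed stand-in for an SMTP gateway

    def _send(self, to, subject, body):
        self.outbox.append({"to": to, "subject": subject, "body": body})

    def request_enrollment(self, customer_id, email):
        """Record the address as *pending* and mail only a verification link."""
        token = secrets.token_urlsafe(32)
        # Store a hash so a leaked database does not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (customer_id, email, self.clock() + TOKEN_TTL_SECONDS)
        # Deliberately no name, account digits or other customer detail here:
        # if the address is wrong, the recipient learns nothing but the link.
        self._send(email, "Confirm your e-mail address",
                   f"Click to confirm: https://example.invalid/verify?t={token}")
        return token

    def confirm(self, token):
        """Single-use, time-limited confirmation; returns True on success."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)     # pop: a token works once
        if entry is None:
            return False
        customer_id, email, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.verified[customer_id] = email
        return True

    def send_notice(self, customer_id, subject, body):
        """Refuse to send anything until the customer's address is verified."""
        email = self.verified.get(customer_id)
        if email is None:
            return False
        self._send(email, subject, body)
        return True


if __name__ == "__main__":
    svc = NotificationService()
    # Constructed scenario: the CSR records a mistyped address.
    token = svc.request_enrollment("cust-1", "typo@example.invalid")
    print("notice before confirmation sent?", svc.send_notice("cust-1", "Payment due", "..."))
    print("confirmed:", svc.confirm(token))
    print("notice after confirmation sent?", svc.send_notice("cust-1", "Payment due", "..."))
```

In the mistyped-address case the stranger receives one generic confirmation message and, by never clicking it, never receives a mortgage notice; the customer simply never sees the confirmation and contacts the bank, which is the point at which the bad address gets corrected instead of silently persisting.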
EVIDENCE: Note that the actual customer's name has been redacted, but I have that, as well as the last four digits of their account number.
UNSUBSCRIBE VIA LINK? Yes, but that would only stop the symptom, not the problem.
CAN-SPAM COMPLIANT? Yes
REHAB ATTEMPT: I've contacted the Online Banking support team on numerous occasions, explained the issue, and have had both good and bad experiences with the CSRs' responses. At no time have any of Bank of America's representatives completely understood what I've explained, and given that the emails continue, nothing has been accomplished.
11/20/09: I searched online for the highest-ranking security official within the Bank of America organization, Chris Swecker, former assistant director of the Criminal Investigative Division and former acting executive assistant director for Law Enforcement Services at the FBI, called their Charlotte offices and asked for his office. They eventually gave me his voice mail. I left a clear voice mail as to why I was calling, with an explanation of the issues and what needed to be fixed.
RESULT: No change
DEVELOPMENTS: As of this writing, I have received no response at all from anyone at Bank of America.